Tag: CTF

HSCTF2020 Writeups

Posted on by sandrabino

Dis – Python Bytecode Challenge

The challenge was a python bytecode challenge where the approach I chose was to maually replicate the bytecode from the documentation of the dis module in python which took up a while. Im not sure if there’s a less time consuming approach but once that was done the reversing part was automated using Z3.

bytestring=b'\xae\xc0\xa1\xab\xef\x15\xd8\xca\x18\xc6\xab\x17\x93\xa8\x11\xd7\x18\x15\xd7\x17\xbd\x9a\xc0\xe9\x93\x11\xa7\x04\xa1\x1c\x1c\xed'
from z3 import *


def a(s):
    o = [0] * 32
    for i in range(32):
        o[i] = ((s[i]+s[i])-60)
    return o
def b(s,t):
    for x,y in zip(s,t):
        yield(x+y)-50
def c(s):
    return [x+5 for x in s]

def e(s):
    s = [ i for i in s ]
    o = [ (o^5)-30 for o in b(a(s),c(s)) ]
    return o

def main():
    sol=Solver()
    o=b'\xae\xc0\xa1\xab\xef\x15\xd8\xca\x18\xc6\xab\x17\x93\xa8\x11\xd7\x18\x15\xd7\x17\xbd\x9a\xc0\xe9\x93\x11\xa7\x04\xa1\x1c\x1c\xed'
    l=list(o)
    s = [ BitVec('s[%s]' % i, 8) for i in range(32) ]
    s = e(s)
    for i in range(len(l)):
        sol.add(s[i]==l[i])
    print(sol.check())
    print(sol.model())
main()

And the flag we get is :flag{5tr4ng3_d1s45s3mbly_1c0a88}

Emojis – Misc

This challenge was made using emojigram language which is an esolang made using Emojis. All that we need to do is repicate the code in python and generate the flag from it by reversing the code.

The replicated code looked like this.
But since there are conditional jumps and all that we are given is the output when the flag is given, we have no choice but to guess whether the jumps are taken or not inorder to obttain the desired input.
And to achieve the same we played around with a few of the instructions and put together the possibilities to get the Flag.


flag=[120, 66, 94, 114, 95, 69, 110, 125, 73, 78, 99, 52, 118]
flag[9]=flag[9]+flag[1]
flag[7]=flag[7]+flag[11]
flag[2]=47
flag[4]=flag[4]+flag[11]
flag[0]=flag[0]+flag[2]
flag[8]=flag[8]-8
flag[6]=flag[6]+flag[8]
flag[6]=flag[6]-flag[8]
flag[6]=flag[6]-flag[8]
flag[10]=flag[10]+8
flag[11]=flag[11]-1
flag[4]=flag[4]-flag[9]
flag[3]=flag[3]-2
flag[2]=flag[2]-4
flag[0]=flag[0]-flag[11]
flag[1]=flag[1]-flag[3]
flag[1]=flag[1]+flag[3]
flag[1]=flag[1]+flag[3]
flag[1]=flag[1]-flag[7]
flag[3]=flag[12]
flag[2]=flag[2]+8
flag[9]=flag[9]-flag[6]
flag[2]=flag[2]+flag[4]
#flag[1]==flag[5]
#False
flag[2]=flag[5]
#flag[1]==flag[12]
#False
#flag[11]=flag[11]+flag[0]
flag[12]=118

Solved!

Flag: flag{tr3v0r-pAck3p}

APLab:English

Another java Reversing Challenge. We are given a java file which is to be reversed.

Solution:

s="1dd3|y_3tttb5g\`q]^dhn3j"
def unxor(string):
    ret=''
    xorstr=[4,1,3,1,2,1,3,0,1,4,3,1,2,0,1,4,1,2,3,2,1,0,3]
    for i in range(len(string)):
        ret+=chr(ord(string[i])^xorstr[i])
    return ret




def untranspose(string):
    ret=[None]\*23
    transpose=[11,18,15,19,8,17,5,2,12,6,21,0,22,7,13,14,4,16,20,1,3,10,9]
    for i in range(len(transpose)):
        ret[transpose[i]]=string[i]
    return ''.join(ret)


for i in range(3):
    s=unxor(s)
    print(s)
    s=untranspose(s)
    print(s)

The Output looks like this:

5eg2~x\3upwc7gau\\gjo3i
cj3o\\pg~i35uaug\xe2gw7
gk0n^]sgm04watc]zf0fw4
40gf]sma^4wgtc0z]knf0w
01dg_rna_0tf}tb4{_hlg0t
flag{n0t_t00_b4d_r1ght}

And we finally Obtain the flag!

HackIm’16 zorro_pub(Writeup)

Posted on by sandrabino
  • The binary zorro_bin is a stripped file.

In this challenge basically the binary asks you for a number initially, (that is the number of drinks ). And further asks for the drinks’ id’s.If the first input is x, then a loop runs for x times xoring the values of drink id’s , which becomes the seed to a rand function in the code. The drink ids have to have their value in the range (16,0xffff). The seed value is checked against a function which checks whether the bin(seed) has 10 1’s if the condition is satisfied , the seed for the rand function is set and the rand values are updated to a string which is MD5 hashed and eventually checked against a hardcoded hash in the binary. Thats pretty much much it for the description for the challenge.

Solution:

My approach to this was to write a python script to find the input that would give the hash.

import random
import hashlib
from ctypes import *
libc=CDLL('libc.so.6')
arr=[0x3c8,0x32,0x2ce,0x302,0x7f,0x1b8,0x37e,0x188,0x349,0x27f,0x5e,0x234,0x354,0x1a3,0x96,0x340,0x128,0x2fc,0x300,0x28e,0x126,0x1b,0x32a,0x2f5,0x15f,0x368,0x1eb,0x79,0x11d,0x24e]
for j in range(16,0xffff):
    n=j
    c=0
    while(n!=0 and n>0):
        c=c+1
        n=n&(n-1)
    if(c==10):
        n=j
        libc.srand(n)
        c=0
        st=''
        final=''
        for i in range(30):
            a = libc.rand()%1000
            st = st + str(a)
            final = final + chr((a^arr[i])&0xff)
        final =final+'0'
        result = hashlib.md5(st.encode())
        if(result.hexdigest()=='5eba99aff105c9ff6a1a913e343fec67'):
            print(j)
            print(a)
            break

This script will give two outputs the first one being the seed value.